Control Administrator Access

Learn more about Control Administrator Access.

Managing privileged passwords, including local administrator, service account and embedded application passwords, is a challenge in most organizations. There are often too many passwords, distributed across too many devices, with too many inter-dependencies. As a result, privileged passwords are often static, simple and well-known.

IT staff often retain privileged passwords long after they leave and attackers have long time windows to attack service and application passwords.

These security problems may violate regulatory requirements for privacy protection or transparent corporate governance.

Privileged access management systems secure access to administrator and other accounts with elevated privileges on systems and applications. This is typically done through a combination of:

  • Discovering systems and applications where privileged accounts exist.
  • Extracting a list of accounts from each system.
  • Applying policy to determine which accounts to manage.
  • Periodically randomizing passwords to these accounts.
  • Storing these random passwords in a secure credential vault.
  • Authenticating users who need to access these accounts.
  • Applying access control policy to determine what users are allowed access to which privileged accounts.
  • Providing one or more access disclosure mechanisms to connect approved users to privileged accounts.
  • Controlling how many users may concurrently sign into the same privileged account.
  • Logging and reporting on this access.

Hitachi ID Privileged Access Manager secures privileged accounts across the IT landscape and at large scale:

  • It periodically randomizes passwords to privileged accounts.
  • Users must sign into Privileged Access Manager before they can access privileged accounts. This is an excellent opportunity to require strong, multi-factor authentication. This also allows organizations to apply a central authorization policy -- who is allowed access to which account, when and from where?
  • Privileged Access Manager launches login sessions on behalf of users, without displaying passwords -- single sign-on.
  • Privileged login sessions can be recorded, including screen capture and keyboard capture. This creates strong accountability and forensic audit trails.

Return to Identity Management Concepts